Skip to content


Types of Actions

An Action helps you execute specific tasks depending on your needs. There are 5 main types of actions in the playbooks:

The Actions Library lists all available actions in playbooks with their detailed configuration. Actions


Name Description
Get Event Field Common Values Retrieve the most common values of an ECS field based on the time window
List Assets Retrieve detailed information about assets based on a filter
Search Alerts Retrieve detailed information about alerts (such as the urgency, name of the rule, etc… except events) based on a filter.
Get Alert Retrieve detailed alert information such as the urgency, name of the rule, pattern, etc… except events.
Get Events Retrieve events based on a search. This action is equivalent to a search on the event page and takes into consideration 3 parameters: a query with filters (, and earliest time/latest time: two dates to determine the date range of the search.


Get Events can be used to retrieve events from an alert. Events associated to an alert contain the key alert_short_ids with the value of the ID of the alert.


Name Description
Create an asset Create an asset
Delete an asset Delete an asset
Add attribute to asset Add attribute to asset
Add key to asset Add key to asset
Edit alert Edit an alert details such as the urgency or the alert category
Comment alert Add a comment to the alert
Update alert status Change the status of an alert
Push Events to Intake Push one or more events to an Intake
Attach Alerts to Case Attach one or more alerts to a case.

How to update an alert status

To update an alert status, you need to copy the status_uuid corresponding to the needed action.

Action Description status_uuid
Pending This alert needs to be addressed 2efc4930-1442-4abb-acf2-58ba219a4fd0
Acknowledge Alert will be evaluated (true or false positive?) 8f206505-af6d-433e-93f4-775d46dc7d0f
Ongoing Alert might be a true positive and action must be taken 1f2f88d5-ff5b-48bf-bbbc-00c2fff82d9f
Reject It is a false positive or the alert will be not addressed 4f68da89-38e0-4703-a6ab-652f02bdf24e
Close It was a true positive and the alert has been addressed 1738b1c1-767d-489e-bada-19176621a007


To get notified, you can rely on these tools:

Data collection

If you have an account in one of the listed tools below, you can easily extract data from there and import it to This is made possible with an API key.


Name Description
fileutils Extract data from XML or JSON files
http Request HTTP resources (download file, request URL)
STIX Add source, add tags, create relationships, cryptolaemus to STIX, CVE to STIX, filter bundle, JSON objects to observables, VirusTotal LiveHunt to observables, MISP to STIX, observables to contextualized indicators, observables to indicators, remove orphan objects, STIX to MISP, string to observables

These helpers need their associated trigger to function properly:

Name Description
MISP Gather, store, share and correlate threat intelligence. Convert from MISP to STIX, publish MISP event
MWDB Convert a MWDB config to a bundle of observables
Triage Triage raw results to observables

Third-party applications

More actions are available in the Actions Library. To learn how to set up an action, please refer to its documentation.


The dynamic content is written in JINJA. For more information on this language, please follow this documentation.